Privacy Policy
Last updated: March 31, 2026
1. Who We Are
PayFest (“we”, “us”, “our”) operates the payfest.io platform, a closed-loop NFC cashless payment system for festivals and events. This Privacy Policy explains how we collect, use, store, and protect personal information when you visit our website, use our platform as an event organizer (“Organizer”), or participate as an attendee (“Attendee”) at an event using PayFest technology.
Contact: [email protected]
2. Data Controller vs. Data Processor
When PayFest acts as a Data Processor: When an Organizer uses PayFest to manage cashless payments at their event, the Organizer is the Data Controller for attendee personal data (names, phone numbers, transaction history). PayFest processes this data solely on the Organizer’s behalf and according to their instructions, as defined in our Data Processing Agreement (DPA).
When PayFest acts as a Data Controller: PayFest is the Data Controller for: (a) personal data of Organizers and their staff who create accounts on our platform; (b) data collected through our website (payfest.io); (c) data necessary for platform security, fraud detection, and legal compliance.
Organizers are responsible for providing appropriate privacy notices to their Attendees regarding the use of cashless payment technology at their events.
3. Data We Collect
From Organizers and Staff (Account Data)
- Full name, email address, organization name
- Login credentials (passwords stored as bcrypt hashes; we never store plaintext passwords)
- Role and permission assignments
- Device information for registered mobile terminals
From Event Attendees (on behalf of Organizers)
- Name (as provided during registration at the event)
- Phone number (last 4 digits only — we do not store full phone numbers)
- NFC card unique identifier (UID)
- Transaction data: amounts, timestamps, merchant, transaction type
- Wallet balance
From Mobile App Users (Merchants, Cashiers)
- Device information (model, OS version, app version) for diagnostics
- Error/crash logs (uploaded only when manually triggered by the user)
From Website Visitors
- Standard server logs (IP address, browser type, pages visited)
- We do not use third-party advertising trackers or analytics cookies
Data We Do NOT Collect
- Credit card numbers, bank account details, or other financial instrument data. PayFest is a closed-loop balance system.
- Biometric data
- Location data (GPS)
4. How We Use Your Data
- Service delivery: Processing transactions, managing NFC cards, maintaining wallet balances, generating analytics and reports.
- Security and fraud detection: Monitoring transactions for suspicious patterns, enforcing rate limits, PIN lockout protections, and maintaining audit logs.
- Platform improvement: Analyzing aggregated, anonymized usage patterns to improve performance and reliability.
- Communication: Sending service-related notices to Organizers (not marketing).
- Legal compliance: Maintaining transaction records as required by financial regulations.
5. Data Sharing
We do not sell, rent, or trade personal information to third parties. We may share data with:
- Event Organizers: Attendee transaction data and analytics are accessible to the Organizer who deployed PayFest at their event.
- Infrastructure providers: Our platform is hosted on Contabo GmbH servers located in Germany. Contabo acts as a sub-processor with appropriate data protection measures.
- Legal authorities: When required by law, court order, or to protect rights, property, or safety.
We do not use third-party advertising networks, social media tracking pixels, or data brokers.
6. Data Retention
- Organizer account data: Duration of the account + 12 months after deletion
- Attendee personal data: 90 days after event conclusion, unless the Organizer requests earlier deletion
- Transaction records: 5 years after the event (legal/financial compliance)
- Audit logs: 5 years
- Fraud alerts: 2 years
- Diagnostic/crash logs: 90 days
- Server access logs: 30 days
7. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit: All data is encrypted using TLS 1.2+
- NFC card security: Card data is signed with HMAC-SHA256
- Access controls: Role-based access control (RBAC) with six distinct permission levels
- Password security: All passwords and PINs are hashed using bcrypt with 12 salt rounds
- Rate limiting: PIN lockout after 3 failed attempts (5-minute cooldown)
- Audit trail: All administrative actions logged in an immutable audit log
- Infrastructure: Docker containerized deployment with network isolation. Internal services not exposed to the public internet.
- Security headers: HSTS, CSP, and other security headers enforced
8. International Data Transfers
Our servers are located in Germany (Contabo GmbH). If you access our services from outside the European Economic Area (EEA), your data will be transferred to and processed in Germany, which is within the EEA and subject to GDPR protections. We do not routinely transfer personal data outside the EEA.
9. Cookies
PayFest uses only strictly necessary cookies:
- Authentication tokens: JWT tokens stored in browser memory for session management on the admin dashboard. Essential for the platform to function.
We do not use third-party analytics cookies, advertising cookies, social media cookies, or tracking pixels.
10. Your Rights (GDPR)
If you are in the EEA or UK, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion, subject to legal retention requirements
- Restrict processing: Request limits on how we use your data
- Data portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent
For Attendees: Because PayFest processes attendee data on behalf of Organizers, rights requests should first be directed to the event Organizer. If unable to reach the Organizer, contact us at [email protected].
For Organizers: Submit requests to [email protected]. We will respond within 30 days.
11. Children’s Privacy
PayFest services are not directed at children under 16. We do not knowingly collect personal data from children. If an event permits minors to use NFC cards, the Organizer is responsible for obtaining parental or guardian consent as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Organizers of material changes via email at least 30 days before they take effect. The “Last Updated” date at the top indicates the most recent revision.